This is an automated email from the ASF dual-hosted git repository. robertlazarski pushed a commit to branch master in repository https://gitbox.apache.org/repos/asf/axis-axis2-java-rampart.git
commit 1c36bd02d315743277ff3e370f5b5b8922a930a6 Author: Robert Lazarski <[email protected]> AuthorDate: Tue Jun 9 15:32:11 2026 -1000 RAMPART-371: rahas must report support for WS-SecurityPolicy assertions Rahas.canSupportAssertion() returned false unconditionally. During policy-driven module engagement, Axis2 (AxisDescription.engageModulesForPolicy) requires every module registered for an assertion's namespace to return true from canSupportAssertion, otherwise it throws "atleast one module can't support ...". The rahas module.xml registers for both the WS-SecurityPolicy 1.1 (http://schemas.xmlsoap.org/ws/2005/07/securitypolicy) and 1.2 (http://docs.oasis-open.org/ws-sx/ws-securitypolicy/200702) namespaces. For the 1.2 namespace rahas is the ONLY registered module, so its blanket false made every WS-SecurityPolicy-1.2 policy fail for generated clients with e.g. "atleast one module can't support {...200702}SupportingTokens". canSupportAssertion now returns true for assertions in the WS-SecurityPolicy 1.1 and 1.2 namespaces (mirroring the Rampart module), and false otherwise. Adds RahasModuleTest. Verified with a full clean -Papache-release verify (all modules, all tests including the 9 policy samples) on JDK 25. Co-Authored-By: Claude Opus 4.8 (1M context) <[email protected]>
---
 .../src/main/java/org/apache/rahas/Rahas.java | 18 ++++++-
 .../java/org/apache/rahas/RahasModuleTest.java | 59 ++++++++++++++++++++++
 2 files changed, 76 insertions(+), 1 deletion(-)
diff --git a/modules/rampart-trust/src/main/java/org/apache/rahas/Rahas.java b/modules/rampart-trust/src/main/java/org/apache/rahas/Rahas.java
index 19a93819..2cdd416f 100644
--- a/modules/rampart-trust/src/main/java/org/apache/rahas/Rahas.java
+++ b/modules/rampart-trust/src/main/java/org/apache/rahas/Rahas.java
@@ -25,6 +25,8 @@ import org.apache.axis2.description.AxisModule;
 import org.apache.axis2.modules.Module;
 import org.apache.neethi.Assertion;
 import org.apache.neethi.Policy;
+import org.apache.ws.secpolicy.SP11Constants;
+import org.apache.ws.secpolicy.SP12Constants;
 import org.opensaml.core.config.InitializationException;
 public class Rahas implements Module {
@@ -48,7 +50,21 @@ public class Rahas implements Module {
 }
 public boolean canSupportAssertion(Assertion assertion) {
- return false;
+ if (assertion == null || assertion.getName() == null) {
+ return false;
+ }
+
+ String ns = assertion.getName().getNamespaceURI();
+
+ // The rahas module registers (in module.xml) for the WS-SecurityPolicy 1.1
+ // and 1.2 namespaces, so it must report that it can support assertions in
+ // those namespaces. Returning false unconditionally vetoed every
+ // WS-SecurityPolicy assertion when rahas was engaged: Axis2 requires every
+ // module registered for an assertion's namespace to support it, so this
+ // produced "atleast one module can't support ...". For the WS-SP 1.2
+ // (200702) namespace rahas is the only registered module, which made the
+ // veto fatal for generated clients (RAMPART-371).
+ return SP11Constants.SP_NS.equals(ns) || SP12Constants.SP_NS.equals(ns);
 }
 public void applyPolicy(Policy policy, AxisDescription axisDescription)
diff --git a/modules/rampart-trust/src/test/java/org/apache/rahas/RahasModuleTest.java b/modules/rampart-trust/src/test/java/org/apache/rahas/RahasModuleTest.java
new file mode 100644
index 00000000..d4c4fcb5
--- /dev/null
+++ b/modules/rampart-trust/src/test/java/org/apache/rahas/RahasModuleTest.java
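Review bot: `canSupportAssertion` now returns true for every assertion in the WS-SecurityPolicy 1.1 or 1.2 namespace regardless of its local name, so a true result can only mean "rahas does not veto engagement", not "rahas enforces this assertion". The added comment states rahas is the only module registered for the 1.2 namespace, and nothing in this hunk shows which component then enforces a 1.2 policy (`applyPolicy` continues outside the hunk); if enforcement relies on Rampart being engaged as well, that dependency should be stated where the decision is made. I would put the contract in a short comment above the return, such as `// true = no veto only; these assertions are enforced by Rampart, not by rahas (confirm)`, and leave the RAMPART-371 history to the commit message.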
@@ -0,0 +1,59 @@
+/*
+ * Licensed to the Apache Software Foundation (ASF) under one
+ * or more contributor license agreements. See the NOTICE file
+ * distributed with this work for additional information
+ * regarding copyright ownership. The ASF licenses this file
+ * to you under the Apache License, Version 2.0 (the
+ * "License"); you may not use this file except in compliance
+ * with the License. You may obtain a copy of the License at
+ *
+ * http://www.apache.org/licenses/LICENSE-2.0
+ *
+ * Unless required by applicable law or agreed to in writing,
+ * software distributed under the License is distributed on an
+ * "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+ * KIND, either express or implied. See the License for the
+ * specific language governing permissions and limitations
+ * under the License.
+ */
+package org.apache.rahas;
+
+import javax.xml.namespace.QName;
+
+import junit.framework.TestCase;
+
+import org.apache.neethi.builders.PrimitiveAssertion;
+import org.apache.ws.secpolicy.SP11Constants;
+import org.apache.ws.secpolicy.SP12Constants;
+
+public class RahasModuleTest extends TestCase {
+
+ /**
+ * RAMPART-371: rahas registers (in module.xml) for the WS-SecurityPolicy 1.2
+ * namespace and is the only module registered for it, so it must report that it
+ * can support assertions in that namespace. Otherwise Axis2 policy validation
+ * fails with "atleast one module can't support {...200702}SupportingTokens".
+ */
+ public void testSupportsWsSecurityPolicy12Namespace() {
+ Rahas rahas = new Rahas();
+ assertTrue("rahas must support WS-SecurityPolicy 1.2 (200702) assertions",
+ rahas.canSupportAssertion(new PrimitiveAssertion(
+ new QName(SP12Constants.SP_NS, "SupportingTokens"))));
+ }
+
+ public void testSupportsWsSecurityPolicy11Namespace() {
+ Rahas rahas = new Rahas();
+ assertTrue("rahas must support WS-SecurityPolicy 1.1 assertions",
+ rahas.canSupportAssertion(new PrimitiveAssertion(
+ new QName(SP11Constants.SP_NS, "SupportingTokens"))));
+ }
+
+ public void testDoesNotSupportUnrelatedAssertions() {
+ Rahas rahas = new Rahas();
+ assertFalse("rahas must not claim support for unrelated namespaces",
+ rahas.canSupportAssertion(new PrimitiveAssertion(
+ new QName("http://example.com/unknown", "Foo"))));
+ assertFalse("null assertion must not be supported",
+ rahas.canSupportAssertion(null));
+ }
+}
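Review bot: The `assertion.getName() == null` branch of the new guard is not exercised; `testDoesNotSupportUnrelatedAssertions` covers only a null assertion and an unrelated namespace. If `PrimitiveAssertion` accepts a null `QName` (not visible in this diff), add `assertFalse(rahas.canSupportAssertion(new PrimitiveAssertion((QName) null)));` so a nameless assertion is pinned as unsupported. The second and third test methods also lack the short Javadoc the first one has.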
